Recently I tried to define a correlation rule, which correlates some
"correlated events":

Say cruleA, cruleB and cruleC.

- cruleA correlates general events, creates ceventA.
- cruleB correlates general events, creates ceventB.
- cruleC correlates events created from cruleA and cruleB, such as
ceventA and ceventB.

I tried using either EventName or SentinelProcessingComponentID. It
worked when I tested the rule. However, it doesn't work, nothing's fired,
when the rule is deployed.

May I ask if it's possible to achieve this? And how?


